Cyber Security Institute

Thursday, September 28, 2006

Oracle Promises Security In Fusion But Customers Will Have To Wait

Oracle announced its next steps in its security strategy, disclosing plans to integrate security into its applications line and broaden Secure Enterprise Search.  Oracle has spent a lot of money to ensure it’s taken seriously as a security vendor, buying up a number of access management, identity management, and other security software makers.  At a security strategy briefing Wednesday, Oracle promised to integrate security into the Fusion applications it will make available beginning in 2008.  On the database side, the company offers its Advanced Security Option for data encryption, Database Vault for protecting against insiders seeking to abuse their data access privileges, Label Security for designating data for different levels of security, and Secure Backup for encrypting backup tapes.  Oracle also covers a variety of identity management capabilities, including directory services, authentication, Web-services access control, and single sign-on for multiple applications.


One in three managers snub mobile security

Fewer than 40 per cent of companies enforce a security policy for employees with mobile devices, an industry report has found.  Worse still, 35 per cent of general managers believe that a security policy for mobile use is not vital, and one in five IT managers agree with them, according to figures from the Securing The Enterprise study released by Orange Business Services.


Virtual desktop security close to reality

IT security vendor Symantec Corp. and Intel Corp. are collaborating to bring the benefits of virtualization technology to desktop security, executives from the two companies announced at the Intel Developer Forum in San Francisco.  Symantec will release next year a new intrusion prevention system (IPS), called Virtual Security Solution, that is installed on a virtual machine running on PCs with Intel vPro technology.  Computers equipped with vPro technology and Intel’s Core 2 Duo processor use a hypervisor to create a virtual machine running alongside the host operating system, explained Leo Cohen, vice-president and fellow at Symantec’s security technology group.  By running the intrusion prevention system in a separate virtualized environment, the security controls become independent of the host operating system and less exposed to targeted attacks that try to weaken or disable security software running inside that operating system, said Cohen.


Testing for Security in the Age of Ajax Programming

Ajax (Asynchronous JavaScript and XML) allows a web page to refresh a small portion of its data from a web server, rather than being forced to reload and redraw the entire page as in traditional web programming.  Because they can make frequent, small updates, web applications written with Ajax can present user interfaces that behave more like desktop applications, which most users find more natural and intuitive.
The flexibility that Ajax affords the developer also places a corresponding burden on him to secure his code against the larger attack surface it creates: every asynchronous request is a server endpoint that accepts attacker-controlled input, whether or not the page’s own script validates that input first.  The QA team will need a new set of functional, performance and security testing methods that exercise those endpoints directly, in order to test applications that use Ajax against SQL injection and other attacks.
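The following is an added example, not code from the original article or from any product it mentions. It shows the kind of test the article calls for: a simulated Ajax JSON endpoint backed by an in-memory SQLite table (the table, its rows and the endpoint functions are all constructed for illustration) is probed with a boolean-based pair of SQL injection payloads. The probe calls the endpoint directly, so any validation in the page’s client-side JavaScript is never on the path, which is exactly why such checks cannot be relied on. A parameterised endpoint treats both payloads as literal search strings and returns the same result; an endpoint that concatenates the parameter into its query returns different row counts, and here also leaks a row the query was supposed to exclude.

```python
import json
import sqlite3

# Constructed sample data standing in for the application's database.
# The "internal" row must never be returned by the public search endpoint.
PRODUCTS = [
    (1, "Router", "public"),
    (2, "Switch", "public"),
    (3, "Unreleased firmware", "internal"),
]
INTERNAL_NAMES = {"Unreleased firmware"}


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database holding the constructed product table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE product (id INTEGER, name TEXT, visibility TEXT)")
    db.executemany("INSERT INTO product VALUES (?, ?, ?)", PRODUCTS)
    return db


def search_vulnerable(db: sqlite3.Connection, term: str) -> str:
    """Hypothetical Ajax endpoint that interpolates the request parameter into
    SQL.  It returns JSON, as a partial-page update would."""
    sql = (
        "SELECT name FROM product WHERE visibility = 'public' "
        "AND name LIKE '%" + term + "%'"
    )
    rows = db.execute(sql).fetchall()
    return json.dumps([r[0] for r in rows])


def search_safe(db: sqlite3.Connection, term: str) -> str:
    """The same endpoint with a parameterised query: the term is bound as data,
    so it can never change the structure of the statement."""
    sql = "SELECT name FROM product WHERE visibility = 'public' AND name LIKE ?"
    rows = db.execute(sql, ("%" + term + "%",)).fetchall()
    return json.dumps([r[0] for r in rows])


# Boolean-based differential payloads.  The trailing "--" comments out the
# rest of the statement if the payload lands inside the SQL text.
TRUE_PAYLOAD = "' OR 1=1 --"
FALSE_PAYLOAD = "' AND 1=0 --"


def injection_probe(endpoint, db: sqlite3.Connection) -> dict:
    """Send the always-true and always-false payloads to the endpoint and
    compare the responses.  Different row counts mean the payload was
    interpreted as SQL rather than as a search string."""
    true_rows = json.loads(endpoint(db, TRUE_PAYLOAD))
    false_rows = json.loads(endpoint(db, FALSE_PAYLOAD))
    return {
        "injectable": len(true_rows) != len(false_rows),
        "true_count": len(true_rows),
        "false_count": len(false_rows),
        "leaked_internal": any(name in INTERNAL_NAMES for name in true_rows),
    }


def run_probes() -> dict:
    """Probe both versions of the endpoint against a fresh database."""
    db = make_db()
    return {
        "vulnerable": injection_probe(search_vulnerable, db),
        "safe": injection_probe(search_safe, db),
    }


if __name__ == "__main__":
    for name, result in run_probes().items():
        print(name, result)
```

The differential form matters for automated QA: a single tautology payload can give a false negative when the baseline query already matches every row, whereas comparing a true and a false condition on the same endpoint isolates the effect of the injected logic. The same probe applies unchanged to any JSON endpoint the page calls, which is the practical consequence of Ajax for testing: the list of URLs the page’s script requests is the list of inputs to fuzz.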


Wednesday, September 27, 2006

Protecting corporate reputation a key aim of IT security

A global survey has found Canadian companies are more concerned with protecting their reputations than their global competitors when they spend on information security.  “Poor information security that loses data such as customer profiles can seriously affect a company’s brand,” says Greg Murray of PricewaterhouseCoopers.  The study found that 67 per cent of Canadian organizations actively engage both business and IT decision-makers in addressing information security issues, compared to 52 per cent worldwide.  When it comes to overall spending, 48 per cent of companies said their information security budgets will increase in 2006, while 42 per cent said it will stay the same.


Monday, September 25, 2006

Browser security holes surging in 2006

Symantec’s twice-yearly Internet Security Threat Report found that 47 bugs in Firefox and 38 bugs in Internet Explorer had been discovered in the first six months of this year - up significantly from the 17 and 25 bugs, respectively, found in the previous six months.  Even Apple’s Safari browser saw its bug count double, from six in the last half of 2005 to 12 in the first half of 2006.  Opera was the only browser tracked by Symantec whose vulnerability count declined, and not by much.  According to the report, 31 percent of attacks during the period targeted more than one browser, and 20 percent took aim at Mozilla’s Firefox.


Computer Virus Writers Plan Slow Spread

In the past, virus writers seeking fame and attention wrote their malicious programs to spread as quickly and broadly as possible, boasting to colleagues when they managed to cripple hundreds of thousands of computers worldwide in a matter of hours.  But now, many writers are driven by money instead.  They write code to turn the computers of unsuspecting individuals into “botnets” - networks used for sending junk e-mail or stealing financial data from others.  Security experts find that some are even taking measures to make sure their programs don’t spread too quickly or too broadly, lest they get detected and blocked.


Wednesday, September 20, 2006

Symantec Prepares For Shift To ‘Security 2.0’

As businesses evolve to rely more on the Web, the idea of “security” is fast giving way to “protection” in the eyes of Symantec Corp.  The company is embarking on a new strategy for helping businesses counter threats to their data and systems, while at the same time making systems available and easy to use for employees and customers, says Symantec CTO Mark Bregman.  More details are expected during an unveiling of Security 2.0 in October.  The strategy also calls for delivering enterprise-quality protection to consumers, including Internet parental control tools and data controls that dictate how personal information is collected and used, Bregman says.


New Gartner Hype Cycle Highlights Five High Impact IT Security Risks

Gartner, Inc. advised businesses to plan for five increasingly prevalent cyberthreats that have the potential to inflict significant damage on organisations during the next two years.  They are: targeted threats, identity theft, spyware, social engineering and viruses.  The hype cycle assesses the initial awareness, maturity, impact and market penetration of 35 IT security threats during the next ten years.  According to Amrit Williams, research director at Gartner, “We are seeing an increasingly hostile environment fuelled by financially motivated and targeted cyber attacks.”


Thumb-sized leaks in corporate security

Proliferating flash drives and other personal memory devices are causing corporate IT managers to rethink data security policies and enforcement.  But the balance between corporate security and user convenience has never been more difficult to achieve, because ubiquitous thumb-size drives can hold gigabytes of corporate information.


Monday, September 18, 2006

Gartner: Security costs fall with good policies

Think in terms of threats, not regulations, analysts counsel.  Enterprises will increasingly face skilled IT criminals trying to infiltrate corporate networks for sensitive data stored in databases, but adopting new policies to evaluate risk should help drive the cost of defense down, computer security analysts said.  But many corporations are creating security policies based on government regulations rather than threats.  The result is policies that meet the auditors’ requirements but aren’t necessarily best for the overall security, said Jay Heiser, Gartner research vice president.


Friday, September 15, 2006

Web flaws race ahead in 2006

Less rigor in Web programming, an increasing variety of software, and restrictions on Web security testing have combined to make flaws in Web software the most reported security issues this year to date, according to the latest data from the Common Vulnerabilities and Exposures (CVE) project.  A draft report on the latest numbers from the vulnerability database found that 4,375 security issues had so far been cataloged in the first nine months of 2006, just shy of the 4,538 issues documented last year.  Buffer overflows, a perennial favorite, fell to the No. 4 slot.  The jump in Web-based vulnerabilities is fueled by the simplicity of exploiting many of the most common Web vulnerabilities, the enormous number of Web applications freely available, and the difficulty in eradicating cross-site scripting flaws.  Moreover, while many of the vulnerabilities are easy to test for and find, independent security researchers are less likely to probe another group’s Web site to find the flaws, because doing so violates computer intrusion statutes.


Thursday, September 14, 2006

New IE hole revisits an old bug

Hackers have discovered a new vulnerability in Internet Explorer, and they’ve released code that could be used to attack users of Microsoft Corp.’s popular browser.  To take advantage of the exploit code, attackers would first need to trick users into viewing a maliciously crafted Web page, but they could then run unauthorized code on a victim’s computer.  Symantec calls the bug “critical,” and Secunia rates the issue as “highly critical,” its most severe rating.


Wednesday, September 13, 2006

Two-thirds of phishing scams target single US bank

Customers of the Fifth Third Bank in America were the most at risk from phishing attacks in August, according to figures from antivirus firm McAfee.  Bank of America, Western Union, PayPal, Nationwide, Halifax and the Internal Revenue Service made up the top 10.  The most prevalent internet threat for August was the JS/Wonka Trojan, which downloads other pieces of malicious software onto the victim’s PC.


Guide to Intrusion Detection and Prevention (IDP) Systems (Draft) - Special Publication 800-94

Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of potential incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices.  Intrusion prevention is the process of performing intrusion detection and attempting to stop detected potential incidents.  Intrusion detection and prevention (IDP) systems are primarily focused on identifying potential incidents, logging information about them, attempting to stop them, and reporting them to security administrators.  In addition, organizations use IDPs for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies.
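The following is an added example, not part of the NIST draft or any product; it illustrates the definitions above in code. A small monitor reads constructed web-server log lines (the log format, the rules and the thresholds are all assumed for the example), matches them against two signature rules and one rate-based rule, and records an alert for each match. In detection-only mode that is all it does; in prevention mode it also blocks the offending source, so later events from that source are dropped rather than processed, which is the distinction the draft draws between intrusion detection and intrusion prevention.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed sample log lines (not from any real system).  Assumed format:
# "<unix_ts> <src_ip> <method> <path> <status>"
SAMPLE_LOG = """\
1001 10.0.0.5 GET /index.html 200
1002 203.0.113.9 GET /login 200
1003 203.0.113.9 POST /login 401
1004 203.0.113.9 POST /login 401
1005 203.0.113.9 POST /login 401
1006 203.0.113.9 POST /login 401
1007 203.0.113.9 POST /login 401
1008 198.51.100.7 GET /cgi-bin/../../etc/passwd 404
1009 10.0.0.5 GET /about.html 200
1010 198.51.100.7 GET /search?q=%27%20OR%201%3D1%20-- 200
1011 203.0.113.9 GET /index.html 200
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d{3})$")

# Signature rules, applied to the URL-decoded request path.
SIGNATURES = [
    ("path-traversal", re.compile(r"\.\./")),
    ("sqli-tautology", re.compile(r"(?i)'\s*or\s+1\s*=\s*1")),
]

# Rate-based rule: this many failed logins from one source inside WINDOW seconds.
BRUTE_FORCE_THRESHOLD = 5
WINDOW = 60


@dataclass
class Alert:
    ts: int
    src: str
    rule: str
    detail: str
    action: str  # "alert" (detect only) or "block" (detect and prevent)


class Idp:
    def __init__(self, prevent: bool):
        self.prevent = prevent
        self.blocked = set()
        self.failed_logins = defaultdict(list)
        self.alerts = []

    def _raise(self, ts: int, src: str, rule: str, detail: str) -> None:
        """Log the potential incident; in prevention mode also block the source."""
        action = "alert"
        if self.prevent:
            self.blocked.add(src)
            action = "block"
        self.alerts.append(Alert(ts, src, rule, detail, action))

    def process(self, line: str) -> str:
        """Analyse one event.  Returns what happened to it: 'ignored' (unparsable),
        'dropped' (source already blocked), 'matched' (rule fired) or 'passed'."""
        m = LINE_RE.match(line)
        if not m:
            return "ignored"
        ts, src, method, raw_path, status = m.groups()
        ts = int(ts)
        if src in self.blocked:
            return "dropped"
        path = unquote(raw_path)
        for name, pattern in SIGNATURES:
            if pattern.search(path):
                self._raise(ts, src, name, path)
                return "matched"
        if method == "POST" and path == "/login" and status == "401":
            recent = [t for t in self.failed_logins[src] if ts - t <= WINDOW]
            recent.append(ts)
            self.failed_logins[src] = recent
            if len(recent) >= BRUTE_FORCE_THRESHOLD:
                self._raise(ts, src, "brute-force-login", f"{len(recent)} failures in {WINDOW}s")
                self.failed_logins[src] = []
                return "matched"
        return "passed"


def run(log_text: str, prevent: bool):
    """Feed every line through a fresh monitor; return it and the per-line outcomes."""
    idp = Idp(prevent)
    outcomes = [idp.process(line) for line in log_text.splitlines() if line.strip()]
    return idp, outcomes


if __name__ == "__main__":
    for mode in (False, True):
        idp, outcomes = run(SAMPLE_LOG, prevent=mode)
        print("prevent =", mode, "alerts:", [(a.src, a.rule, a.action) for a in idp.alerts])
        print("  blocked:", sorted(idp.blocked), "dropped:", outcomes.count("dropped"))
```

Note what prevention costs: once 198.51.100.7 is blocked for the traversal attempt, its later SQL injection probe is dropped unseen and never generates its own alert, and 203.0.113.9’s ordinary request at the end is dropped too. That is the trade-off the draft alludes to when it lists logging and documenting threats among the other uses of an IDP: a false positive in prevention mode blocks legitimate traffic, so the rules that trigger blocking deserve far more scrutiny than the rules that only alert.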


Putting Security in the Bank

Financial services companies are not only finding innovative ways to implement new security initiatives, they’re also finding innovative ways to fund them.  ABN AMRO Bank N.A. now requires all of the bank’s application projects to allocate one percent of their funding to security.  “If you have to mitigate security risk after the fact, it’s a costly exercise,” Bernik told attendees of the Cyber Security Executive Summit.  CISOs and risk management officials at major financial institutions speaking here say they are struggling to keep up with emerging threats and the ever-changing regulatory landscape.  They face not only phishing exploits, but emerging application-level security issues, client laptop security, and compliance requirements such as strong authentication for online banking, which banks must deploy by the end of the year under FFIEC guidance.


Tuesday, September 12, 2006

Survey: Most insider-related data breaches go unreported

Most insider-related security breaches go unreported, according to a new survey by Ponemon Institute LLC in Elk Rapids, Mich.  The main reason is that companies don’t have the resources to tackle the issue, according to the National Survey on Managing the Insider Threat, sponsored by ArcSight Inc., an enterprise security management company in Cupertino, Calif.  “We found that many of the respondents in our study found that it was difficult, if not impossible, to identify all data breaches that exist—and over 79% of the respondents said one, if not more, insider-related security breaches at their companies go unreported,” said Larry Ponemon, chairman of Ponemon Institute.  Approximately 93% believe that the No. 1 barrier to addressing the data breach risk is the lack of sufficient resources, and 80% cited a lack of leadership, he said.


Symantec, Juniper Detail New Security Partnership

The two companies will share information and technological development operations to combine their respective expertise in providing network security products and services.  Security software market leader Symantec and networking giant Juniper Networks announced a new strategic partnership on Sept. 12 aimed at tapping into the two massive companies’ respective capabilities in defending corporate networks from outside attacks.  Labeled by the companies’ leading executives as a nonexclusive partnership of strategy and direction, the vendors said the primary benefit of the tie-up will be their ability to share information about emerging threats to help their customers prepare for attacks faster and more cost effectively.


Monday, September 11, 2006

Massive DoS Attacks Against ISPs On The Rise

Large scale denial-of-service attacks, growing in size and increasing in frequency, are the biggest threats to Internet service providers, a security company said.  ISPs are spending more to defend against massive denial-of-service (DoS) attacks than they are protecting themselves against highly-publicized worm attacks, Lexington, Mass.-based Arbor Networks reported in its annual survey of major providers.


Phishing reaches record numbers

The group reports that 154 banks, financial companies, electronic retailers and other organizations had their brands hijacked through phishing in July 2006 - a new record.  It also reports finding 23,670 phishing websites used to commit identity theft, fraud and other malicious activity in July 2006.  This number is second only to the record 28,571 phishing sites found in June 2006, and is nearly double the 14,135 phishing sites found in July 2005.  A number of phishing websites are in fact legitimate servers that were compromised through software vulnerabilities and covertly turned into phishing sites, which makes the attackers harder to track.


Symantec consumer desktop upgrades likely to hit the enterprise

Symantec Corp. unveiled the 2007 editions of its consumer Norton AntiVirus and Internet Security desktop products, plus a third new offering called Norton Confidential that protects e-commerce transactions.  Symantec often adds features to its consumer security software, which is sometimes purchased by small businesses, and later includes those features in the enterprise editions that can be remotely managed.  In Norton AntiVirus 2007, the consumer antivirus and antispyware product, a rootkit detection and eradication capability has been added that will likely become part of the enterprise products.  Group product manager Craig Lane said Symantec has developed a methodology for scanning at the kernel level, where rootkits attempt to lodge, in order to detect and eradicate them.  In addition, Norton AntiVirus 2007 will have a so-called zero-hour protection capability that will be updated whenever a vulnerability is identified for the Windows desktop.  While not intended to replace software patching, Symantec said this zero-hour protection is designed to block exploits that might occur before the patch process is completed.  The second upgraded product, Norton Internet Security 2007, includes everything in Norton AntiVirus 2007, and so adopts the same rootkit-scanning technique, and adds further defenses, including a desktop firewall and antiphishing protection.  Both 2007 editions run on Windows XP, with support for Microsoft Vista to be added when the new operating system ships.


Six sensible steps to keep disaster recovery real

Unless we’re living under skies of brimstone and hellfire, most companies shouldn’t have to replicate every piece of data to protect their business from the next cataclysmic event.  Nor should they necessarily have to cough up millions for a mirror site that traces every network transaction.  And let’s face it, unless you’re cyber-cynical, catastrophes are extremely rare.  Be that as it may, enterprises are increasingly being held accountable for their data, and prudence points to being prepared.  Three experts were asked what the most commonly overlooked elements are in today’s disaster recovery plans.


Saturday, September 09, 2006

Credit Card Giants Modify Security Specs

The world’s top credit card companies yesterday issued long-awaited revised security standards for their merchants, but some experts say they didn’t really improve the situation much.  The credit card giants also announced the formation of the PCI Security Standards Council LLC, a joint organization that will shepherd the compliance guidelines, develop a list of PCI-compliant vendors and products, and train auditors.


Thursday, September 07, 2006

SAP Pushes Compliance as Strategy

SAP wants companies to think of governance, risk and compliance (GRC) management in strategic terms.  The leading vendor of enterprise software, based in Walldorf, Germany, introduced an integrated set of solutions to help enterprises manage their GRC issues.  The solutions build on existing SAP solutions, as well as applications that SAP acquired when it purchased compliance solutions vendor Virsa in May.  The first solution, called GRC Repository, will allow companies to document and maintain GRC information, such as corporate policies, board of director minutes, regulations, compliance, control frameworks and key business processes in a central system of records.  The second solution, GRC Process Control, automatically aggregates business process risks for the entire enterprise, provides supporting evidence of compliance, pinpoints control violations to prioritize corrective action and prevents material weaknesses from developing and persisting.  The software will integrate automated control monitoring for SAP and non-SAP applications.  The third component of the offering, GRC Risk Management, helps enterprises implement collaborative risk-management processes.


Stolen Data’s Black Market

The targeted attack—designed to make a buck for the hacker or insider who initiates it—is in, in, in.  The “black market” for stolen computer data is growing by leaps and bounds, according to experts who study computer crime and corporate espionage.  “Before 1998, about 90 to 95 percent of all intrusions were done by individuals hacking out of curiosity,” says Chris Pierson, founder of the cybersecurity and cyberliability practice at Lewis and Roca LLP, a Phoenix law firm.  “We’re seeing a rapid growth in cooperative attacks, where an insider works in concert with some sort of external source to make a financial gain,” says Brian Contos, chief security officer at ArcSight and author of the new book, Enemy at the Water Cooler, which outlines some of the recent trends and exploits in corporate computer crime.  “It’s not just hackers looking randomly for easy points of entry—these are attacks on specific companies.”


Wednesday, September 06, 2006

Winning the Compliance Game

The Security Compliance Council, made up of the Institute of Internal Auditors, the Computer Security Institute, and Symantec, has been tracking what’s working and what’s not, says James Hurley, executive director of research for the Security Compliance Council and a director of research at Symantec.  In the past year, about 85 percent of the organizations have been through one regulatory audit; 60 percent have been through two or more; and 80 percent, three or more.  Spending on IT security wasn’t drastically different between organizations with the best audit results and those with the worst.  The successful ones spent over 10 percent on security, and those with failures six percent or less, Hurley says.


Researchers Challenge DOS Attack Data

Conventional wisdom about the sources and causes of denial-of-service (DOS) attacks—and the best methods for preventing them—could be completely wrong, a group of researchers said this week.  Researchers at the University of Michigan, Carnegie Mellon University, and AT&T Labs-Research said they have completed a study that debunks the widely-held belief that DOS attack traffic is usually generated by a large number of attack sources disguised by spoofed IP addresses.  In its study, the group found that 70 percent of DOS attacks are generated by fewer than 50 sources, and a relatively small number of attack sources account for nearly 72 percent of total attack volume.


Cisco, Microsoft Reveal Long-Awaited Network Access Control Plans

Cisco and Microsoft released closely held details about their two-year-old partnership to deliver integrated controls that prevent malware-infested computers from connecting into networks.  Cisco’s Network Admission Control, or NAC, technology will work with the Microsoft Network Access Protection, or NAP, capabilities available with the upcoming Windows Vista and Longhorn operating systems.  The result should be a breakthrough in integrated IT security when the whole package arrives in the second half of next year, the target date for Longhorn’s release.


Tuesday, September 05, 2006

Network security sales top $1.1 billion in 2Q06

Worldwide network security appliance and software sales were up 2% to $1.1 billion between the first and second quarters of 2006, and are forecast to grow 30% between 2005 and 2009, when they will reach $5.1 billion, according to Infonetics Research’s latest Network Security Appliances and Software report.


Friday, September 01, 2006

Survey: Data breaches difficult to spot, prevent

IT security professionals are struggling to detect and prevent data breaches, according to the results of a recent survey of 853 U.S. security executives conducted by the Ponemon Institute LLC.  Nearly two-thirds of security executives said they have no way to prevent a data breach, while most respondents said their organizations lack the accountability and resources necessary to enforce data security policy compliance, according to the Elk Rapids, Mich.-based think tank.  The study, conducted in June and July, was sponsored by Palo Alto, Calif.-based security firm PortAuthority Technologies Inc.  While 59% of respondents said they can effectively detect a data breach, a staggering 63% don’t think they can prevent one.